Hey there, I've got a site with only one cookie, which I believe contains both the user's ID number and password, possibly encoded into a digest of some sort. It is 27 characters long and is composed of uppercase and lowercase letters and numbers. If anyone has any clue on what this could be and how to decode it, that would be helpful, thanks!

You've always got the easy targets - like the "gmailchat" cookie in mail.google.com. The main reason a site would put a password in a cookie is if they were doing client-side authentication (i.e., password verification through JavaScript, or maybe through ActionScript), which is inherently insecure - the client has full control over the environment and can bypass authentication as needed.

That or they're lazy.

If I were to store authentication client-side, it would be a one-time authentication token with both server- and client-side expiry, that I'd update with every n client-server interactions. If you'd tried to scrape Facebook for data a few months back you would have come across a good implementation like this (which, incidentally, is a solid XSRF defense, but doesn't do anything against XSS). I haven't checked recently, and now that certain information is available to search engines, I don't know that this is implemented as ubiquitously.
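The token design the reply sketches (an opaque signed token with an expiry, invalidated server-side and rotated after n requests, and never carrying the password or its hash) looks roughly like the following. This is an added illustration written for this thread, not code from either poster or from any real site; the secret, the TTL, the rotation count and the token layout (uid, expiry, random nonce, HMAC-SHA256 tag) are all assumptions chosen for the example.

```python
import base64
import binascii
import hashlib
import hmac
import os
import struct
import time

# Server-side signing key. Constructed value for the example; a real server would
# load this from a secret store, never from source code.
SERVER_SECRET = b"example-server-secret-do-not-reuse"

TAG_LEN = 32            # HMAC-SHA256 output
NONCE_LEN = 16
PAYLOAD_LEN = 8 + 8 + NONCE_LEN   # uid (u64) + expiry (u64) + nonce


def issue_token(uid, ttl_seconds, now=None, secret=SERVER_SECRET):
    """Mint an opaque, signed token: uid || expiry || nonce || HMAC.

    Nothing password-derived goes into the cookie, so reading it never yields a
    credential that could be replayed into a different session.
    """
    now = time.time() if now is None else now
    expiry = int(now) + ttl_seconds
    nonce = os.urandom(NONCE_LEN)
    payload = struct.pack(">QQ", uid, expiry) + nonce
    tag = hmac.new(secret, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + tag).rstrip(b"=").decode("ascii")


def verify_token(token, now=None, secret=SERVER_SECRET):
    """Return (uid, nonce) if the token is authentic and unexpired, else None."""
    now = time.time() if now is None else now
    padded = token + "=" * (-len(token) % 4)
    try:
        raw = base64.urlsafe_b64decode(padded)
    except (ValueError, binascii.Error):
        return None
    if len(raw) != PAYLOAD_LEN + TAG_LEN:
        return None
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    # Constant-time comparison; a plain '==' would leak timing information.
    if not hmac.compare_digest(tag, expected):
        return None
    uid, expiry = struct.unpack(">QQ", payload[:16])
    if now >= expiry:            # client-side expiry is the cookie Max-Age; this is the server's
        return None
    return uid, payload[16:]


class SessionServer:
    """Server-side table of live tokens so expiry and rotation are enforced by the
    server, not trusted to the cookie's own timestamp."""

    def __init__(self, ttl_seconds=900, rotate_every=5, secret=SERVER_SECRET):
        self.ttl = ttl_seconds
        self.rotate_every = rotate_every
        self.secret = secret
        self.active = {}          # nonce -> requests remaining before rotation

    def login(self, uid, now=None):
        token = issue_token(uid, self.ttl, now, self.secret)
        _, nonce = verify_token(token, now, self.secret)
        self.active[nonce] = self.rotate_every
        return token

    def handle_request(self, token, now=None):
        """Return (uid, token_to_send_back) for a valid request, else None."""
        result = verify_token(token, now, self.secret)
        if result is None:
            return None
        uid, nonce = result
        if nonce not in self.active:      # revoked, already rotated away, or never issued here
            return None
        self.active[nonce] -= 1
        if self.active[nonce] > 0:
            return uid, token
        del self.active[nonce]            # n-th use: retire this token and hand out a fresh one
        return uid, self.login(uid, now)
```

Two points worth noticing: a token minted under a different key, or with any byte changed, fails `hmac.compare_digest` before the server ever looks at the uid, and once a token has rotated its nonce is gone from `active`, so a captured copy stops working even though its own expiry has not passed.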

The reason I am looking to find out how it is encoded is not to get information from it but to reform a hash myself. I have uids and passhashes, but the cookie is formulated somehow to contain the uid and passhash in that 27-character hash. I'm pretty stuck on what to do.